#1  07-25-2005, 02:29 PM  Chris_D
aaa authorization and aaa accounting with Cisco ACS and 1231 AP's

I am trying to get aaa authorization working so that I can get Cisco
Secure to dole out dhcp according to username but I can't find an
example config on the cisco site.

I struggled with aaa accounting as well but I managed to get that to
work when I added "accounting method_list" to the ssid.

If anyone has any useful config examples of either of these, I would be
grateful.

Drop the ZZZ to reply

Cheers ...

#2  07-26-2005, 08:09 PM  aaron@cisco.com
Re: aaa authorization and aaa accounting with Cisco ACS and 1231 AP's

Chris,

I'm afraid you're barking up the wrong tree here.

ACS can hand out IP addresses using the RADIUS
Framed-IP-Address, but this works only in cases where
the RADIUS client has some mechanism to hand the IP address
to the end user.

Some such RADIUS clients are PPP (which can give the end user
the address via IPCP) and I believe IPsec VPN.

However, an AP *cannot* take a Framed-IP-Address from RADIUS and
hand it to a wireless client. In theory, one could imagine a feature
wherein the AP takes that IP address from RADIUS and sticks it into
an ephemeral client-specific DHCP binding, to be handed out via
DHCP when/if that particular client asks for a DHCP address.
However, we don't support any such feature and as far as I know have
no plans to implement it.

Best,

Aaron


#3  07-27-2005, 12:20 PM  Chris_D
Re: aaa authorization and aaa accounting with Cisco ACS and 1231 AP's

Thanks for clarifying that for me, Aaron. I had my suspicions that it
may be something like that, as I had exhausted all avenues of
investigation.

I am assuming that TACACS+ will not perform the task either?

The reason I looked into this originally was because I need to hand
out IP addresses on a per-VLAN basis, but when I have set up a lab with
different (physical) DHCP servers connected to their corresponding VLANs
the clients don't always get the right address.

If you can shed any light on this I would be grateful.



On 26 Jul 2005 12:09:34 -0700, "aaron@cisco.com" <aaron@cisco.com>
wrote:

>Chris,
>
>I'm afraid you're barking up the wrong tree here.
>
>ACS can hand out IP addresses using the RADIUS
>Framed-IP-Address, but this works only in cases where
>the RADIUS client has some mechanism to hand the IP address
>to the end user.
>
>Some such RADIUS clients are PPP (which can give the end user
>the address via IPCP) and I believe IPsec VPN.
>
>However, an AP *cannot* take a Framed-IP-Address from RADIUS and
>hand it to a wireless client. In theory, one could imagine a feature
>wherein the AP takes that IP address from RADIUS and sticks it into
>an ephemeral client-specific DHCP binding, to be handed out via
>DHCP when/if that particular client asks for a DHCP address.
>However, we don't support any such feature and as far as I know have
>no plans to implement it.
>
>Best,
>
>Aaron


Drop the ZZZ to reply

Cheers ...

#4  07-27-2005, 08:25 PM  aaron@cisco.com
Re: aaa authorization and aaa accounting with Cisco ACS and 1231 AP's

> Thanks for clarifying that for me, Aaron. I had my suspicions that it
> may be something like that, as I had exhausted all avenues of
> investigation.

> I am assuming that TACACS+ will not perform the task either?


I don't think you can authenticate wireless EAP clients against
Tacacs+, only RADIUS, but in any case, this has nothing to do with
the AAA protocol used between the AP and the AAA server, but
with the capabilities of the AP to assign an address to the wireless
client.

> The reason I looked into this originally was because I need to hand
> out IP addresses on a per-VLAN basis, but when I have set up a lab with
> different (physical) DHCP servers connected to their corresponding VLANs
> the clients don't always get the right address.


I don't know why your DHCP servers didn't assign the right addresses;
this should not be a problem. I'd recommend that you focus on fixing
this configuration.

Btw, one thing you *can* do is to have ACS assign a wireless client
to a VLAN on a per user basis. This flexibility is useful to some.
Of course, you still have to have DHCP working right on the VLANs.

Regards,

Aaron


#5  08-01-2005, 09:03 AM  Chris_D
Re: aaa authorization and aaa accounting with Cisco ACS and 1231 AP's
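The distinction Aaron draws in the two replies above, that ACS can return a Framed-IP-Address but only a NAS with a way to deliver it (PPP via IPCP) can act on it, while an access point can instead apply a per-user VLAN, is easiest to see by decoding an Access-Accept. The following is an added example written for this thread, not Cisco's code nor anything from the original posts. The attribute numbers are the standard ones (Framed-IP-Address = 8 from RFC 2865; Tunnel-Type = 64, Tunnel-Medium-Type = 65 and Tunnel-Private-Group-ID = 81 from RFC 2868, with Tunnel-Type VLAN = 13 and Tunnel-Medium-Type IEEE-802 = 6 as used by RFC 3580 for VLAN assignment). The `nas_kind` labels `"ppp"` and `"wireless_ap"` and the sample packet are constructed for illustration; the zeroed Response Authenticator is a placeholder, and a real NAS must verify it before trusting any attribute.

```python
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

# RADIUS attribute type numbers (RFC 2865 / RFC 2868).
FRAMED_IP_ADDRESS = 8
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value "VLAN" (RFC 3580 usage)
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type value "IEEE-802"

ACCESS_ACCEPT = 2
HEADER_LEN = 20


def build_access_accept(attrs: List[Tuple[int, bytes]], identifier: int = 1) -> bytes:
    """Assemble a constructed Access-Accept: Code, Identifier, Length,
    16-byte Authenticator (zeros here; a real server derives it from the
    request authenticator and the shared secret), then attribute TLVs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, HEADER_LEN + len(body))
    return header + bytes(16) + body


def parse_attributes(pkt: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute TLVs, refusing any length that escapes the packet."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("Length field does not match packet size")
    attrs: List[Tuple[int, bytes]] = []
    pos = HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((attr_type, pkt[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def vlan_from_tunnel_attrs(attrs: List[Tuple[int, bytes]]) -> Optional[int]:
    """Return the VLAN id from a Tunnel-Type/Medium/Group triple sharing one Tag.
    The two integer attributes always carry a leading tag byte (0 = untagged);
    Tunnel-Private-Group-ID carries one only when its first byte is <= 0x1F."""
    groups: Dict[int, Dict[str, object]] = {}
    for t, v in attrs:
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(v) == 4:
            key = "type" if t == TUNNEL_TYPE else "medium"
            groups.setdefault(v[0], {})[key] = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID and v:
            tag, text = (v[0], v[1:]) if v[0] <= 0x1F else (0, v)
            groups.setdefault(tag, {})["group"] = text.decode("ascii", "replace")
    for g in groups.values():
        if g.get("type") == TUNNEL_TYPE_VLAN and g.get("medium") == TUNNEL_MEDIUM_IEEE_802:
            group = g.get("group")
            if isinstance(group, str) and group.isdigit():
                return int(group)
    return None


def interpret_for_nas(pkt: bytes, nas_kind: str) -> Dict[str, object]:
    """Decide what a NAS can act on. nas_kind (hypothetical labels) is "ppp",
    which can deliver Framed-IP-Address to the peer via IPCP, or "wireless_ap",
    which cannot push an address to a wireless client but can apply a VLAN."""
    attrs = parse_attributes(pkt)
    framed_ip = next(
        (str(ipaddress.IPv4Address(v)) for t, v in attrs
         if t == FRAMED_IP_ADDRESS and len(v) == 4),
        None,
    )
    vlan = vlan_from_tunnel_attrs(attrs)
    not_actionable: List[str] = []
    result: Dict[str, object] = {"assign_ip": None, "assign_vlan": None,
                                 "not_actionable": not_actionable}
    if nas_kind == "ppp":
        result["assign_ip"] = framed_ip
    elif nas_kind == "wireless_ap":
        result["assign_vlan"] = vlan
        if framed_ip is not None:
            not_actionable.append("Framed-IP-Address")
    else:
        raise ValueError("unknown NAS kind")
    return result


# Constructed sample reply: user gets 10.1.2.3 and VLAN 20 (tag 1 groups the tunnel attrs).
SAMPLE_ACCEPT = build_access_accept([
    (FRAMED_IP_ADDRESS, bytes([10, 1, 2, 3])),
    (TUNNEL_TYPE, bytes([1, 0, 0, TUNNEL_TYPE_VLAN])),
    (TUNNEL_MEDIUM_TYPE, bytes([1, 0, 0, TUNNEL_MEDIUM_IEEE_802])),
    (TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"20"),
])

if __name__ == "__main__":
    print(interpret_for_nas(SAMPLE_ACCEPT, "ppp"))
    print(interpret_for_nas(SAMPLE_ACCEPT, "wireless_ap"))
```

Run stand-alone, the same reply yields an address assignment for the PPP case and a VLAN assignment (with Framed-IP-Address listed as not actionable) for the access-point case, which is the point of the thread: the limit is in what the NAS can deliver to the client, not in the AAA protocol. The bounds checks in `parse_attributes` matter on the defensive side, since a NAS parses these replies from the network.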

Thanks for your input, Aaron, it is appreciated.

I will set the original VLAN configuration up again and try to get
that running.

On 27 Jul 2005 12:25:32 -0700, "aaron@cisco.com" <aaron@cisco.com>
wrote:

>> Thanks for clarifying that for me, Aaron. I had my suspicions that it
>> may be something like that, as I had exhausted all avenues of
>> investigation.

>
>> I am assuming that TACACS+ will not perform the task either?

>
>I don't think you can authenticate wireless EAP clients against
>Tacacs+, only RADIUS, but in any case, this has nothing to do with
>the AAA protocol used between the AP and the AAA server, but
>with the capabilities of the AP to assign an address to the wireless
>client.
>
>> The reason I looked into this originally was because I need to hand
>> out IP addresses on a per-VLAN basis, but when I have set up a lab with
>> different (physical) DHCP servers connected to their corresponding VLANs
>> the clients don't always get the right address.

>
>I don't know why your DHCP servers didn't assign the right addresses;
>this should not be a problem. I'd recommend that you focus on fixing
>this configuration.
>
>Btw, one thing you *can* do is to have ACS assign a wireless client
>to a VLAN on a per user basis. This flexibility is useful to some.
>Of course, you still have to have DHCP working right on the VLANs.
>
>Regards,
>
>Aaron


Drop the ZZZ to reply

Cheers ...
